Infected by ransomware, hospitals around the country have been forced to pay hefty sums to criminal hackers.
One of the most extreme cases took place in February, when Hollywood Presbyterian Medical Center handed over $17,000 to hackers who took over its systems. Since then, two other hospitals in California, as well as in Kentucky and Maryland, have also been hit.
While ransomware isn’t new, it was rare in the past for hospitals to be targeted, according to Kevin Haley, director of Symantec Security Response.
What changed? That $17,000 payday made headlines.
“This was a very public case of a hospital paying a great deal of money to make a problem go away,” Haley told NBC News. “I think it led to the targeting of these organizations.”
It wouldn’t be such a pressing problem if hackers were attacking other types of businesses. But hospital computers contain a wealth of sensitive data from patients, and staff need to be able to communicate 24 hours a day. The rise of smart medical devices, which can also be hacked, has raised the stakes even higher.
More money, more problems
Ransomware is malware that infects a computer and then encrypts files until victims pay to have them unlocked. Usually, hackers target individuals for $300 to $400 each, Haley said. But the rise of bitcoin has made demanding large amounts of money more feasible.
Bitcoin is a digital currency traded anonymously. In the past, ransomware was disguised as virus protection software or a message from the FBI in the hopes of tricking someone into handing over their credit card number. With bitcoin, there is no need for deception. Hackers don’t need to hide their intentions because the transactions are so difficult to track.
Hollywood Presbyterian Medical Center confirmed that it paid 40 bitcoins, equivalent to around $17,000, to bring its systems back online. The other recent attacks also involved demands for bitcoin. No longer do criminals need complicated schemes to funnel cash.
“Bitcoin takes a little bit of sophistication, but overall, it isn’t anything you can’t learn by going on Wikipedia,” Ed Cabrera, vice president of cybersecurity strategy for Trend Micro, told NBC News.
Pair that with the fact that ransomware isn’t incredibly difficult for your average hacker to acquire, and you have a formula for disaster. Overall, according to statistics from Symantec, there was an average of 1,000 ransomware attacks per day in 2015, an increase of 35 percent from the year before. This year, there have been days where that number has reached 4,000. Very few of them are attacks against hospitals, of course, but that could change as hackers eye bigger and bigger ransoms.
“Everybody is running from whatever they were doing to this,” Haley said, “because the dollars are big, the risk is low, and it’s easy to get into.”
Hospitals become targets
Last month, ransomware hit three California hospitals — Desert Valley Hospital, Chino Valley Medical Center and Alvarado Hospital Medical Center — run by Prime Healthcare, forcing them to shut down their systems. Radiology and “other ancillary services” were down for several days, a company spokesperson told NBC News, but no patient or employee records were compromised.
In the end, Prime Healthcare was able to recover without paying the ransom. But there is a lot of pressure on hospitals to do the opposite. Hollywood Presbyterian said in a statement sent to NBC News that it handed over the $17,000 in the “best interest of restoring normal operations” after communications within the hospital were completely shut down.
Unfortunately, preventing these kinds of attacks in the future won’t be easy.
“There are a lot of different layers to a hospital,” Cabrera said. There are patient and outpatient records, insurance documents, internal communications and a host of other files being handled by multiple vendors. And if it all fails? People with serious health problems could be denied care.
Despite how critical their operations are, most hospitals lag behind financial institutions and other businesses that have been dealing with these kinds of attacks for years, according to Cabrera.
“As a whole, you look at healthcare, and it’s not at the leading edge when it comes to cybersecurity,” he said.
Most often, ransomware infects a computer through an email attachment. Hospitals not only need to beef up security so they can detect malicious files earlier, they also have to train employees not to open them. Constantly patching vulnerabilities is vital, too, according to Cabrera.
All of this takes money. The healthcare industry is "ill-prepared" to face these threats, according to a report from ABI Research, because it "spends very little on cybersecurity, comparatively to other regulated critical industries." The report claims that less than 10 percent of cybersecurity spending by 2020 will be from the healthcare industry.
Hospitals also have to spend to develop contingency plans in case things go wrong. That includes deciding which files get backed up and how often.
Prime Healthcare said that it had "multiple levels of backup" that protected important files from being affected, and that it worked with "national expert incidence response firms" to respond quickly to the attacks.
Fortunately, nobody was hurt during the ransomware incidents. For hospitals, the worst-case scenario involves hackers taking over smart devices that monitor vital signs and deliver drugs.
“If it has an IP address and an attacker can reach it, it becomes fair game,” Cabrera said.
The negatives might not outweigh the positives in healthcare when it comes to the Internet of Things (IoT). By 2025, according to a McKinsey report, remote monitoring with smart devices could create as much as $1.1 trillion a year in value by improving the health of people with chronic diseases.
Right now, said Cabrera, patients can probably rest easy. It's not worth it for hackers to go after smart devices, he said, since traditional networks are so easy to target and lucrative to attack. But IoT security is something that hospitals will increasingly have to watch.
In the end, it falls on the leadership of hospitals to make sure cybersecurity is a priority, because there really isn't much patients can do to protect themselves.
“If these attacks make hospitals take a hard look at their security and take these threats seriously, in the end it could be a good thing,” Haley said. “This is a risk they can’t ignore anymore.”